Tiny web server for sending empty responses to advertisement and tracking requests.

vinevinz/pixelserv-tls

pixelserv-tls

pixelserv-tls is a fork of pixelserv, the tiny webserver that responds to all requests with "nothing", with added support for HTTPS. It is particularly useful for whitelisting hosts on troubled websites and for mining "big data" on adservers and trackers.

Certificates for adserver domains are generated automatically, in real time, upon first request. All requests to adservers are optionally written to syslogd. The stats in text format are preserved, which suits command-line parsing. The same stats in HTML format have been revamped to be more legible.

Prepare your Root CA cert

pixelserv-tls requires a Root CA cert to run. Assuming OpenSSL is already installed on your system, execute the following commands in a command shell:

  • cd /opt/var/cache/pixelserv
  • openssl genrsa -out ca.key 1024
  • openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

These create a 1024-bit CA cert with Common Name "Pixelserv CA" in /opt/var/cache/pixelserv.
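
A check worth running before ca.crt is handed to clients, added here as an example (it is not part of pixelserv-tls). The function names ca_check and demo_ca are hypothetical, and the demo builds a throwaway CA in a temp directory with the two commands above rather than touching /opt/var/cache/pixelserv.

```shell
#!/bin/sh
# ca_check DIR: sanity-check DIR/ca.key and DIR/ca.crt before clients import ca.crt.
# Prints the SHA-256 fingerprint on success; returns non-zero on the first failure.
ca_check() {
    crt=$1/ca.crt; key=$1/ca.key
    # 1. The cert must be flagged as a CA (basicConstraints CA:TRUE).
    openssl x509 -in "$crt" -noout -text | grep 'CA:TRUE' >/dev/null ||
        { echo "ca.crt is not a CA certificate" >&2; return 1; }
    # 2. A root is self-signed: subject and issuer carry the same name.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || { echo "ca.crt is not self-signed" >&2; return 1; }
    # 3. ca.key must be the private key behind ca.crt (compare public halves).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "ca.key does not match ca.crt" >&2; return 1; }
    # 4. Whoever can read ca.key can sign certs that importing clients will trust.
    [ -z "$(find "$key" -perm -004)" ] ||
        { echo "ca.key is world-readable" >&2; return 1; }
    # Fingerprint to compare against what the client shows at import time.
    openssl x509 -in "$crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed demo input: a throwaway CA made with the page's two commands.
demo_ca() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && umask 077 &&
      openssl genrsa -out ca.key 1024 2>/dev/null &&
      openssl req -key ca.key -new -x509 -days 3650 -sha256 \
          -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA" ) || return 1
    echo "$d"
}

dir=$(demo_ca) && { ca_check "$dir"; rm -rf "$dir"; }
```

For a real installation, run ca_check /opt/var/cache/pixelserv and compare the printed fingerprint with the one each client displays when importing ca.crt.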

Import ca.crt into Clients

Note that installing ca.crt on the client OS is not mandatory but recommended. Clients without ca.crt will interact smoothly with pixelserv-tls.

iOS

There are multiple ways to get it done. The simplest is to email yourself ca.crt. On your iOS device, tap the attachment and follow the instructions.

Here is a guide by IBM that provides a bit more detail.

Android

Email yourself the CA cert as an attachment. Double-click the attachment and follow the on-screen instructions to import the certificate. I found that this way the CA cert is imported into the "User" category instead of the "System" category. That's no problem, as the CA cert is still properly recognized. If you insist on importing into "System" certificates, try this Android guide.

MacOS

In Terminal, type

  • sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain ca.crt

Note: since OS X El Capitan, System Integrity Protection needs to be disabled first. Reboot, then run the above command line. System Integrity Protection can be enabled again afterward. Here is a SIP tutorial to disable/enable System Integrity Protection. Unfortunately, ca.crt needs to be re-added after every OS update.

Windows

Chrome/IE/Edge use Root CA certs from the Windows system-wide repository. Follow this Windows guide carefully to add ca.crt to the system-wide Root CAs.

Firefox manages its own repository of Root CAs. Follow this Firefox guide only if you also run Firefox.

Launch pixelserv-tls

A few examples of launching pixelserv-tls:

  • pixelserv-tls 192.168.1.1
  • pixelserv-tls 192.168.1.1 -p 80 -p 8080 -k 443 -k 2443 -u admin

The first example runs pixelserv as nobody, with non-root privilege, and listens on port 80 for HTTP and 443 for HTTPS. The second example additionally listens on 8080 for HTTP and 2443 for HTTPS, and runs as admin, the root account in ASUSWRT.

Binaries

pixelserv-tls is now (circa April 2016) available on Entware-NG. Use opkg install pixelserv-tls to install on supported platforms including Asuswrt/Merlin.

Going forward, binaries for Asuswrt/Merlin in the Releases section will be provided only on request.

New command line switches

$ pixelserv-tls --help
Usage:pixelserv-tls
	ip_addr/hostname (all if omitted)
	-2 (disable HTTP 204 reply to generate_204 URLs)
	-f (stay in foreground - don't daemonize)
	-k https_port (443 if omitted)
	-l (log access to syslog)
	-n i/f (all interfaces if omitted)
	-o select_timeout (10 seconds)
	-p http_port (80 if omitted)
	-r (deprecated - ignored)
	-R (disable redirect to encoded path in tracker links)
	-s /relative_stats_html_URL (/servstats if omitted)
	-t /relative_stats_txt_URL (/servstats.txt if omitted)
	-u user ("nobody" if omitted)
	-z path_to_https_certs (/opt/var/cache/pixelserv if omitted)

-k, -l and -z are new options. -k specifies one HTTPS port; use it multiple times for more ports.

-l logs all ad requests to syslogd. If it is not specified on the command line, there is no logging, which is the default. Access logging can generate a lot of data. Use it only when troubleshooting a browsing issue, or when you have a more capable syslog on your router (e.g. syslog-ng + logrotate from Entware).

-z specifies the path to certs storage. Each ad domain and its sub-domain will require one wildcard cert. Generated certs will be stored and re-used from there.

Stats

Stats are viewable by default at http://pixelservip/servstats.txt (raw text format) or http://pixelservip/servstats (HTML format), where pixelservip is the IP address that pixelserv is listening on.

| Mnemonics | Example | Explanation |
|---|---|---|
| uts | 2d 17:50 | pixelserv uptime |
| log | 1 | logging access to syslog (0=disabled 1=enabled) |
| req | 18122 | total # of requests (HTTP, HTTPS, success, failure etc) |
| avg | 514 bytes | average length of request URL |
| rmx | 25965 bytes | maximum length of request URL |
| tav | 12 ms | average processing time (per request) |
| tmx | 17036 ms | maximum processing time (per request) |
| slh | 8824 | # of accepted HTTPS requests |
| slm | 5 | # of rejected HTTPS requests (missing certificate) |
| sle | 0 | # of rejected HTTPS requests (certificate available but bad) |
| slu | 14 | # of dropped HTTPS requests (unknown error) |
| nfe | 3830 | # of GET requests for server-side scripting |
| gif | 165 | # of GET requests for GIF |
| ico | 0 | # of GET requests for ICO |
| txt | 7895 | # of GET requests for JavaScript |
| jpg | 9 | # of GET requests for JPG |
| png | 6 | # of GET requests for PNG |
| swf | 0 | # of GET requests for SWF |
| sta | 7 | # of GET requests for HTML stats |
| stt | 0 | # of GET requests for plain text stats |
| ufe | 956 | # of GET requests with unknown file extension |
| rdr | 799 | # of GET requests resulted in REDIRECT response |
| nou | 1 | # of GET requests with empty URL |
| pth | 0 | # of GET requests with malformed URL |
| 204 | 0 | # of GET requests (HTTP 204 response) |
| pst | 588 | # of POST requests (HTTP 501 response) |
| hed | 7 | # of HEAD requests (HTTP 501 response) |
| bad | 1 | # of unknown HTTP requests (HTTP 501 response) |
| err | 0 | # of dropped requests (failed to accept client connection) |
| tmo | 1030 | # of dropped requests (client timeout before connection accepted) |
| cls | 2828 | # of dropped requests (client disconnect before connection accepted) |
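
The HTTPS counters can be turned into a quick health check of certificate handling. The following is an added example, not part of pixelserv-tls: it assumes servstats.txt is a single line of comma-separated "value mnemonic" pairs, uses a sample line constructed from the example values in the table, and the helper names stat_get and tls_reject_pct are hypothetical.

```shell
#!/bin/sh
# Constructed sample, built from the example column of the stats table.
# ASSUMPTION: servstats.txt is comma-separated "value mnemonic" pairs.
SAMPLE='2d 17:50 uts, 1 log, 18122 req, 514 avg, 25965 rmx, 12 tav, 17036 tmx, 8824 slh, 5 slm, 0 sle, 14 slu, 3830 nfe, 588 pst, 1030 tmo, 2828 cls'

# stat_get MNEMONIC: read stats text on stdin, print that counter's value.
# Returns non-zero when the counter is absent.
stat_get() {
    awk -v want="$1" 'BEGIN { RS = "," }
    {
        gsub(/^[ \t\n]+|[ \t\n]+$/, "")       # trim the pair
        n = split($0, f, " ")
        if (n >= 2 && f[n] == want) {         # mnemonic is the last token
            sub(/[ \t]+[^ \t]+$/, "")         # drop it, keep the value
            print; found = 1; exit
        }
    }
    END { exit !found }'
}

# tls_reject_pct: percentage of HTTPS requests rejected or dropped,
# (slm + sle + slu) out of (slh + slm + sle + slu).
tls_reject_pct() {
    stats=$(cat)
    slh=$(printf '%s\n' "$stats" | stat_get slh) || return 1
    slm=$(printf '%s\n' "$stats" | stat_get slm) || return 1
    sle=$(printf '%s\n' "$stats" | stat_get sle) || return 1
    slu=$(printf '%s\n' "$stats" | stat_get slu) || return 1
    awk -v h="$slh" -v m="$slm" -v e="$sle" -v u="$slu" 'BEGIN {
        total = h + m + e + u
        if (total == 0) { print "0.00"; exit }
        printf "%.2f\n", 100 * (m + e + u) / total
    }'
}

# Live use: curl -s http://pixelservip/servstats.txt | tls_reject_pct
printf '%s\n' "$SAMPLE" | tls_reject_pct
```

A rising share of slm or sle in this figure points at the certificate store given with -z rather than at ordinary blocked requests.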

Forum Discussion for pixelserv-tls

Other References

  • pixelserv: The thread on LinksysInfo.org where the parent of this fork is produced.
  • pixelserv-ddwrt: An even older thread of an early version of pixelserv.
  • Page load time: Measure page load time in Google Chrome
